Local area networks (LANs), such as carrier sense, ring and shared-media networks, are very common. Typically, they are found within a corporation or a university or among a number of closely located sites.
The type of LAN determines how the elements of the LAN are connected together. A typical carrier sense multiple access LAN is shown in FIG. 1. It includes a hub 10 to which are attached a plurality of stations 12, such as mainframe computers, workstations and personal computers. The hub 10 typically controls the communication between the stations 12 and includes in it a data bus along which messages are sent. Thus, if station 12a wants to send a message to station 12b, it first sends the message to hub 10 which provides the message to the data bus. In a carrier sense network, only the destination station, station 12b, can process the message.
Each type of network typically includes a number of layers of communication. For example, according to the Reference Model of Open Systems Interconnection (OSI), there are the following seven layers: physical, data link, network, transport, session, presentation and application.
As is known in the art, the physical layer is the elements which provide the physical interconnection of the stations 12 and the hub 10. It simply sends and receives digital data.
The data link layer, or medium access control (MAC) layer, removes any noisy data, retransmits poorly received data and breaks the digital data received by the physical layer into packets of data for later processing by the higher layers. The packets of data typically include physical source and destination addresses as well as the logical source (or user) and destination information and the message being sent.
The network layer determines the routing of packets of data between stations. The other, higher, layers provide direct communication between the physical source and destination as well as the logical source and destination. The headers and control information which form part of messages on the network are utilized, in the higher layers, to determine the destination station and the user, the final destination, who has an account on the destination station.
A full description of network communication can be found in the book Computer Networks by Andrew S. Tanenbaum, Prentice-Hall, Inc. Englewood Cliffs, N.J., 1981.
It is known that a network can be accessed by an unauthorized user. Networks and individual stations 12 typically reduce this problem by requiring that each user be identified by a user name and a password. The sophistication of the user name and password depend on the level of security required. However, an unauthorized user can breach the security if he can connect his computer to the network and if he knows, or can guess, the username and password of another user. This type of security is known as "end user" security.
Since data freely move about the data bus of the network, anyone who can access the data bus can process the data to read the messages. A network analyzer 14 is one apparatus which can process network data. It can be utilized to determine if any unauthorized users attempted to access the network. If an unauthorized user is found, he can be shut off from the network. However, since the analysis operation is performed after the messages are sent on the network (i.e. off-line), the unauthorized user cannot be shut down as soon as he begins to operate. Thus, the unauthorized user has a window of at least several seconds to operate.
European Patent Publication 431,751-A1 describes a multiport repeater for a LAN. It operates to ensure that only designated receivers receive their messages. In effect, it ensures that the network analyzer 14 can not "eavesdrop" on the data moving about the data bus. To do this, Publication 431,751-A1 corrupts each message for all destinations except the designated destination.
Despite many attempts to tighten network security, it is still a widespread problem.